Merge pull request #421 from silkimen/feat/#420-implement-blacklist-to-disable-TLS-protocols-on-Android

feat: #420 implement blacklist to disable unsafe SSL/TLS protocol ver…
2026-05-31 00:00:07 +08:00 · 2021-07-15 14:35:24 +02:00
parent 9d6005af29 060794354d
commit d077d02062
9 changed files with 74 additions and 22 deletions
@@ -1,5 +1,9 @@
 # Changelog

+## 3.2.0
+
+- Feature #420: implement blacklist feature to disable SSL/TLS versions on Android (thanks to @MobisysGmbH)
+
 ## 3.1.1

 - Fixed #372: malformed empty multipart request on Android
@@ -34,6 +34,15 @@ phonegap plugin add cordova-plugin-advanced-http
 cordova plugin add cordova-plugin-advanced-http
 ```

+### Plugin Preferences
+
+`AndroidBlacklistSecureSocketProtocols`: define a blacklist of secure socket protocols for Android. This preference allows you to disable protocols which are considered unsafe. You need to provide a comma-separated list of protocols ([check Android SSLSocket#protocols docu for protocol names](https://developer.android.com/reference/javax/net/ssl/SSLSocket#protocols)).
+
+e.g. blacklist `SSLv3` and `TLSv1`:
+```xml
+<preference name="AndroidBlacklistSecureSocketProtocols" value="SSLv3,TLSv1" />
+```
+
 ## Usage

 ### Plain Cordova
@@ -1,6 +1,6 @@
 {
  "name": "cordova-plugin-advanced-http",
-  "version": "3.1.1",
+  "version": "3.2.0",
  "description": "Cordova / Phonegap plugin for communicating with HTTP servers using SSL pinning",
  "scripts": {
    "updatecert": "node ./scripts/update-e2e-server-cert.js && node ./scripts/update-e2e-client-cert.js",
@@ -8,6 +8,7 @@
    <engine name="cordova" version=">=4.0.0"/>
  </engines>
  <dependency id="cordova-plugin-file" version=">=2.0.0"/>
+  <preference name="AndroidBlacklistSecureSocketProtocols" default="SSLv3,TLSv1"/>
  <js-module src="www/cookie-handler.js" name="cookie-handler"/>
  <js-module src="www/dependency-validator.js" name="dependency-validator"/>
  <js-module src="www/error-codes.js" name="error-codes"/>
@@ -47,6 +47,13 @@ public class CordovaHttpPlugin extends CordovaPlugin implements Observer {

      this.tlsConfiguration.setHostnameVerifier(null);
      this.tlsConfiguration.setTrustManagers(tmf.getTrustManagers());
+
+      if (this.preferences.contains("androidblacklistsecuresocketprotocols")) {
+        this.tlsConfiguration.setBlacklistedProtocols(
+          this.preferences.getString("androidblacklistsecuresocketprotocols", "").split(",")
+        );
+      }
+
    } catch (Exception e) {
      Log.e(TAG, "An error occured while loading system's CA certificates", e);
    }
@@ -13,9 +13,10 @@ import javax.net.ssl.TrustManager;
 import com.silkimen.http.TLSSocketFactory;

 public class TLSConfiguration {
-  private TrustManager[] trustManagers;
-  private KeyManager[] keyManagers;
-  private HostnameVerifier hostnameVerifier;
+  private TrustManager[] trustManagers = null;
+  private KeyManager[] keyManagers = null;
+  private HostnameVerifier hostnameVerifier = null;
+  private String[] blacklistedProtocols = {};

  private SSLSocketFactory socketFactory;

@@ -33,6 +34,11 @@ public class TLSConfiguration {
    this.socketFactory = null;
  }

+  public void setBlacklistedProtocols(String[] protocols) {
+    this.blacklistedProtocols = protocols;
+    this.socketFactory = null;
+  }
+
  public HostnameVerifier getHostnameVerifier() {
    return this.hostnameVerifier;
  }
@@ -46,12 +52,7 @@ public class TLSConfiguration {
      SSLContext context = SSLContext.getInstance("TLS");

      context.init(this.keyManagers, this.trustManagers, new SecureRandom());
-
-      if (android.os.Build.VERSION.SDK_INT < 20) {
-        this.socketFactory = new TLSSocketFactory(context);
-      } else {
-        this.socketFactory = context.getSocketFactory();
-      }
+      this.socketFactory = new TLSSocketFactory(context, this.blacklistedProtocols);

      return this.socketFactory;
    } catch (GeneralSecurityException e) {
@@ -5,6 +5,9 @@ import java.net.InetAddress;
 import java.net.Socket;
 import java.net.UnknownHostException;

+import java.util.Arrays;
+import java.util.stream.Stream;
+
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSocket;
 import javax.net.ssl.SSLSocketFactory;
@@ -12,9 +15,11 @@ import javax.net.ssl.SSLSocketFactory;
 public class TLSSocketFactory extends SSLSocketFactory {

  private SSLSocketFactory delegate;
+  private String[] blacklistedProtocols;

-  public TLSSocketFactory(SSLContext context) {
-    delegate = context.getSocketFactory();
+  public TLSSocketFactory(SSLContext context, String[] blacklistedProtocols) {
+    this.delegate = context.getSocketFactory();
+    this.blacklistedProtocols = Arrays.stream(blacklistedProtocols).map(String::trim).toArray(String[]::new);
  }

  @Override
@@ -55,9 +60,18 @@ public class TLSSocketFactory extends SSLSocketFactory {
  }

  private Socket enableTLSOnSocket(Socket socket) {
-    if (socket != null && (socket instanceof SSLSocket)) {
-      ((SSLSocket) socket).setEnabledProtocols(new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" });
+    if (socket == null || !(socket instanceof SSLSocket)) {
+      return socket;
    }
+
+    String[] supported = ((SSLSocket) socket).getSupportedProtocols();
+
+    String[] filtered = Arrays.stream(supported).filter(
+      val -> Arrays.stream(this.blacklistedProtocols).noneMatch(val::equals)
+    ).toArray(String[]::new);
+
+    ((SSLSocket) socket).setEnabledProtocols(filtered);
+
    return socket;
  }
 }
@@ -27,4 +27,5 @@
        <allow-intent href="itms-apps:*" />
    </platform>
    <preference name="AndroidPersistentFileLocation" value="Internal" />
+    <preference name="AndroidBlacklistSecureSocketProtocols" value="SSLv3,TLSv1" />
 </widget>
@@ -104,9 +104,13 @@ const helpers = {

    return buffer;
  },
+  isTlsBlacklistSupported: function () {
+    return window.cordova && window.cordova.platformId === 'android';
+  }
 };

 const messageFactory = {
+  handshakeFailed: function() { return 'TLS connection could not be established: javax.net.ssl.SSLHandshakeException: Handshake failed' },
  sslTrustAnchor: function () { return 'TLS connection could not be established: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.' },
  invalidCertificate: function (domain) { return 'The certificate for this server is invalid. You might be connecting to a server that is pretending to be “' + domain + '” which could put your confidential information at risk.' }
 }
@@ -1014,8 +1018,7 @@ const tests = [
    before: helpers.setRawSerializer,
    func: function (resolve, reject, skip) {
      if (!helpers.isAbortSupported()) {
-        skip();
-        return;
+        return skip();
      }

      var targetUrl = 'http://httpbin.org/post';
@@ -1036,8 +1039,7 @@ const tests = [
    expected: 'rejected: {"status":-8, "error": "Request ...}',
    func: function (resolve, reject, skip) {
      if (!helpers.isAbortSupported()) {
-        skip();
-        return;
+        return skip();
      }
      var url = 'https://httpbin.org/drip?duration=2&numbytes=10&code=200';
      var options = { method: 'get', responseType: 'blob' };
@@ -1064,8 +1066,7 @@ const tests = [
    expected: 'rejected: {"status":-8, "error": "Request ...}',
    func: function (resolve, reject, skip) {
      if (!helpers.isAbortSupported()) {
-        skip();
-        return;
+        return skip();
      }
      var sourceUrl = 'http://httpbin.org/xml';
      var targetPath = cordova.file.cacheDirectory + 'test.xml';
@@ -1097,8 +1098,7 @@ const tests = [
    expected: 'rejected: {"status":-8, "error": "Request ...}',
    func: function (resolve, reject, skip) {
      if (!helpers.isAbortSupported()) {
-        skip();
-        return;
+        return skip();
      }


@@ -1148,6 +1148,21 @@ const tests = [
      }
    }
  },
+  {
+    description: 'should reject connecting to server with blacklisted SSL version #420',
+    expected: 'rejected: {"status":-2, ...',
+    func: function (resolve, reject, skip) {
+      if (!helpers.isTlsBlacklistSupported()) {
+        return skip();
+      }
+
+      cordova.plugin.http.get('https://tls-v1-0.badssl.com:1010/', {}, {}, resolve, reject);
+    },
+    validationFunc: function (driver, result) {
+      result.type.should.be.equal('rejected');
+      result.data.should.be.eql({ status: -2, error: messageFactory.handshakeFailed() });
+    }
+  },
 ];

 if (typeof module !== 'undefined' && module.exports) {